ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Commented] (WSS-443) Treat tokens received over TLS as "encrypted"
Date Tue, 21 May 2013 11:05:18 GMT


Colm O hEigeartaigh commented on WSS-443:

Hi Marc,

The spec also says (8.3):

"If transport security is used, the signature (Sig2) MUST cover the message timestamp as illustrated"

So in this case, the key associated with the Subject of the SAML Token is used to sign the
message Timestamp.

> Treat tokens received over TLS as "encrypted"
> ---------------------------------------------
>                 Key: WSS-443
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: 2.0
> The streaming WS-Security code treats a UsernameToken received over TLS as a SignedSupportingToken.
> However, it doesn't treat it in the same way for encryption.
> In other words, a UsernameToken received over TLS should satisfy a SignedEncryptedSupportingToken
> Clarification: This seems to work when the policy is that of EncryptedSupportingToken,
> but not that of a SignedEncryptedSupportingToken.
